Search

Flash ROMs with a Raspberry Pi

I previously wrote a series of articles about my experience flashing
a ThinkPad X60 laptop with Libreboot. After that, the Libreboot project
expanded its hardware support to include the ThinkPad X200 series,
so I decided to upgrade. The main challenge with switching over to the
X200 was that unlike the X60, you can't perform the initial Libreboot
flash with software. Instead, you actually need to disassemble the laptop
to expose the BIOS chip, clip a special clip called a Pomona clip to it
that's wired to some device that can flash chips, cross your fingers
and flash.

I'm not generally a hardware hacker, so I didn't have any of the
special-purpose hardware-flashing tools that you typically would use to
do this right. I did, however, have a Raspberry Pi (well, many Raspberry
Pis if I'm being honest), and it turns out that both it and the Beaglebone
Black are platforms that have been used with flashrom successfully. So in
this article,
I describe the steps I performed to turn a regular
Raspberry Pi running Raspbian into a BIOS-flashing machine.

The Hardware

To hardware-flash a BIOS chip, you need two main pieces of hardware: a
Raspberry Pi and the appropriate Pomona clip for your chip. The Pomona
clip actually clips over the top of your chip and has little teeth that
make connections with each of the chip's pins. You then can wire up the
other end of the clip to your hardware-flashing device, and it allows you
to reprogram the chip without having to remove it. In my case, my BIOS
chip had 16 pins (although some X200s use 8-pin BIOS chips), so I ordered
a 16-pin Pomona clip on-line at almost the same price as a Raspberry Pi!

There is actually a really good guide on-line for flashing a number of
different ThinkPads using a Raspberry Pi and the NOOBS distribution; see
Resources if you want more
details. Unfortunately, that guide didn't exist when I first wanted to
do this, so instead I had to piece together what to do (specifically
which GPIO pins to connect to which pins on the clip) by combining
a general-purpose article on using flashrom on a Raspberry Pi with an
article on flashing an X200 with a Beaglebone Black. So although the guide I
link to at the end of this article goes into more depth and looks correct, I can't directly
vouch for it since I haven't followed its steps. The steps I list here
are what worked for me.

Pomona Clip Pinouts

The guide I link to in the Resources section has a great graphic that goes into detail
about the various pinouts you may need to use for various chips. Not all
pins on the clip actually need to be connected for the X200. In my case,
the simplified form is shown in Table 1 for my 16-pin Pomona clip.

Table 1. Pomona Clip Pinouts

SPI Pin Name

3.3V

CS#

S0/SIO1

GND

S1/SIO0

SCLK

Pomona Clip Pin #

2

7

8

10

15

16

Raspberry Pi GPIO Pin #

1 (17*)

24

21

25

19

23

So when I wired things up, I connected pin 2 of the Pomona clip to GPIO
pin 17, but in other guides, they use GPIO pin 1 for 3.3V. I list both
because pin 17 worked for me (and I imagine any 3.3V power source might
work), but in case you want an alternative pin, there it is.

Build Flashrom

There are two main ways to build flashrom. If you intend to build and
flash a Libreboot image from source, you can use the version of flashrom
that comes with the Libreboot source. You also can just build flashrom
directly from its git repository. Either way, you first will need to pull
down all the build dependencies:

In either circumstance, at the end of the process, you should have a
flashrom binary compiled for the Raspberry Pi ready to use.

Enable SPI

The next step is to load two SPI modules so you can use the GPIO pins to
flash. In my case, the Raspbian image I used did not default to enabling
that device at boot, so I had to edit /boot/config.txt as root and make
sure that the file contained dtparam=spi=on and then reboot.

Once I rebooted, I then could load the two spi modules:

$ sudo modprobe spi_bcm2708
$ sudo modprobe spidev

Now that the modules loaded successfully, I was ready to power down the
Raspberry Pi and wire everything up.

Wire Everything Up

To wire everything up, I opened up my X200 (unplugged and with the
battery removed, of course), found the BIOS chip (it is right under the
front wrist rest) and attached the clip. If you attach the clip while
the Raspberry Pi is still on, note that it will reboot. It's better to
make all of the connections while everything is turned off. Once I was
done, it looked like what you see in Figure 1.

Figure 1. Laptop Surgery

Then I booted the Raspberry Pi, loaded the two SPI modules and was able
to use flashrom to read off a copy of my existing BIOS:

sudo ./flashrom -p linux_spi:dev=/dev/spidev0.0
↪-r factory1.rom

Now, the thing about using these clips to flash hardware is that sometimes
the connections aren't perfect, and I've found that in some instances, I had
to perform a flash many times before it succeeded. In the above case, I'd
recommend that once it succeeds, you perform it a few more times and save
a couple different copies of your existing BIOS (at least three), and then
use a tool like sha256sum to compare them all. You may find that one or
more of your copies don't match the rest. Once you get a few consistent
copies that agree, you can be assured that you got a good copy.

After you have a good backup copy of your existing BIOS, you can attempt
a flash. It turns out that quite a bit has changed with the Libreboot-flashing process since the last time I wrote about it, so in a future
column, I will revisit the topic with the more up-to-date method to
flash Libreboot.

Resources

Kyle Rankin is a Tech Editor and columnist at Linux Journal and the Chief Security Officer at Purism. He is the author of Linux Hardening in Hostile Networks, DevOps Troubleshooting, The Official Ubuntu Server Book, Knoppix Hacks, Knoppix Pocket Reference, Linux Multimedia
Hacks and Ubuntu Hacks, and also a contributor to a number of other O'Reilly books. Rankin speaks frequently on security and open-source software including at
BsidesLV, O'Reilly Security Conference, OSCON, SCALE, CactusCon, Linux World Expo and Penguicon. You can follow him at @kylerankin.